Reevaluating Risk Management in Financial Services: Dispelling Myths about Operational Resilience

By Michael Coates, Solution Architect, Aiven ANZ

Considering the impending tightening of operating regulations in Australia, financial services organisations are in a race against time to fortify their risk management and compliance strategies.

This urgency is underscored by recent research showing that the financial sector recorded the second-highest number of reported data breaches in Australia in the most recent quarter. The regulator's response is the upcoming prudential standard CPS 230 (Operational Risk Management). It takes effect on 1 July 2025 and introduces new operational risk management requirements for all entities regulated by the Australian Prudential Regulation Authority (APRA).

To successfully navigate these evolving regulatory demands and lay the groundwork for future growth, APRA-regulated entities must strategically invest in technology solutions that bolster governance, risk, and compliance. However, this journey is fraught with misconceptions, particularly around two major areas of vulnerability – running outdated and unsupported software, and the risk of single-supplier failure or vendor lock-in.

Misconception #1: Underestimating the Impact of Outdated Software

A recurring pain point for FSI organisations is outdated software. A surprising number of Australian businesses continue to run software that is past its support window, which causes compatibility problems and breaches their own security policies, because unsupported software no longer receives security patches. Regular updates are the obvious remedy, but updates require outages and a significant depth of knowledge, and both are too easily offered as a valid reason for postponing them. Organisations are more likely to accept the risk of running outdated software than to inconvenience customers with significant downtime. This played out recently when a major telecommunications organisation had not kept its servers and software up to date, which led to a significant server crash and left millions of customers without mobile or internet service for several hours.

This issue creates operational hurdles and, as regulations tighten, significant reputational and compliance consequences. Under the new standard, a failure of this kind would be a breach, particularly of the requirements around technology refresh management. An unpatched system is an insecure system, and it fails to meet APRA's information security requirements under CPS 234.

Misconception #2: Underestimating the Risks of Vendor Lock-In and Single-Supplier Dependency

FSIs tend to end up in vendor lock-in because they deliberately engage a small number of vendors so that they do not have to act as their own system integrator. However, putting all data with a single vendor exposes an FSI to several risks: the vendor's regions going offline, loss of pricing leverage, and a weaker position when negotiating a deal.

Changing regulations are a further incentive to choose technologies that are vendor agnostic and easy to resource, and to ensure that the skills needed to run those technologies are not sourced from a single provider either. Open-source software offers a compelling way both to improve operational efficiency and to protect against vendor lock-in, because data can move freely between providers while compliance requirements continue to be met.

When FSI organisations avoid open-source software, it is generally because they lack a defined support path or have concerns about security and updates. Addressed properly, open source can be a powerful ally in keeping up with compliance needs, and a well-supported open-source stack improves business outcomes rather than adding risk.

The Impact of FSI Risk Regulations

In a market with tightening regulations, FSIs should look for managed platforms that are built on open-source technologies and that handle maintenance and updates automatically on a weekly basis, so that the organisation is always running supported software. Some providers also publish end-of-life dates for the platforms they run, so that financial services organisations can plan any required downtime months in advance.

To address single-supplier failure, these managed platforms run across multiple clouds, in line with financial regulations, so that organisations can migrate data between service providers, whether AWS, Google Cloud, Microsoft Azure, Oracle or others, in a matter of minutes.

IDC has calculated that the benefit to one of our customers from using a data management platform is more than $1.68 million per year, with a 340% three-year return on investment. By reducing downtime and keeping the organisation informed, these managed platforms provide considerable value.

When future-proofing against changing regulations and risk, financial services organisations in Australia and New Zealand should consider strategies that leverage open-source technologies while reducing the pain points of ongoing management and maintenance. Smarter decisions up front reduce the risk of single-supplier failure while also offering significant financial and performance advantages.